GoDaddy makes buying an SSL certificate easy, but their installation instructions for Apache on Ubuntu are hard to follow. This guide walks through purchasing and installing a GoDaddy SSL certificate on an Apache Ubuntu 18.04 server running a WordPress single site.
Prerequisite: You'll need SSH access to your Ubuntu server. Install and activate the Really Simple SSL WordPress plugin before you begin.
Step 1 — Generate a CSR and private key
Connect to your server (e.g. an AWS EC2 instance) using your PEM key and server address. Update the system and install OpenSSL:
$ sudo apt-get update
$ sudo apt-get install openssl
Navigate to the SSL directory:
$ cd /etc/ssl/certs/
Generate the CSR and private key (replace yourdomain with your actual domain):
$ sudo openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
Enter the requested information — country, state, organization, and email. Your Common Name should be your domain name (e.g. launchpaddigital.io). Extra attributes are optional.
Step 2 — View and copy the CSR and key
View your private key:
$ sudo cat yourdomain.key
Copy the contents — including the BEGIN PRIVATE KEY and END PRIVATE KEY tags — and save them somewhere secure. Then move the key into the private directory:
$ sudo mv yourdomain.key /etc/ssl/private/yourdomain.key
View the CSR:
$ sudo cat yourdomain.csr
Copy the CSR contents, including the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST tags.
Step 3 — Request the SSL certificate
Purchase your GoDaddy SSL certificate, log into your account, and open the Certificate Setup page. Click Input a CSR, paste your CSR text (including the tags) into the form, and continue.
Step 4 — Verify domain ownership
If the certificate is in the same GoDaddy account as your domain, verification happens automatically. Otherwise choose one of these methods:
- GoDaddy emails a verification link to admin@, administrator@, hostmaster@, postmaster@, or webmaster@ on your domain
- Verify ownership via DNS or HTML if you can't set up those email addresses
Your certificate is usually issued within one business day, often faster.
Step 5 — Download and copy the certificate files
Once issued, download the certificate from GoDaddy, selecting Apache as the server type, and extract the zip. Copy the files to your server (replace the file names and paths):
$ sudo scp -i "yourAWSpemKeyHere.pem" file/to/copy ubuntu@ec2-XXX-XXX-XXX-XXX.us-[your-region].compute.amazonaws.com:/etc/ssl/certs
If you hit permission errors, temporarily loosen the folder permissions:
$ sudo chmod 777 /etc/ssl/certs
Confirm the files are present, then restore proper permissions:
$ ls
$ sudo chmod 755 /etc/ssl/certs
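Before pointing Apache at the new files, confirm that the certificate GoDaddy issued was built from the CSR and private key created in Step 1. The script below is an added example, not part of the original guide: the function names and the throwaway demo files are assumptions, and it compares the SHA-256 of the public key found in each file.

```shell
# Added example (not from the original guide): check that key, CSR and
# certificate all carry the same public key.

# Hash a PEM public key read from stdin; print nothing and fail if unreadable.
spki_hash() {
    pem=$(openssl pkey -pubin 2>/dev/null) || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 -r | cut -d' ' -f1
}
key_hash()  { openssl pkey -in "$1" -pubout 2>/dev/null | spki_hash; }
csr_hash()  { openssl req -in "$1" -noout -pubkey 2>/dev/null | spki_hash; }
cert_hash() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | spki_hash; }

# Return 0 on a full match, 1 on a mismatch, 2 if a file cannot be parsed.
check_match() {   # usage: check_match KEY CSR CERT
    k=$(key_hash "$1")  || { echo "cannot read private key: $1" >&2; return 2; }
    c=$(csr_hash "$2")  || { echo "cannot read CSR: $2" >&2; return 2; }
    x=$(cert_hash "$3") || { echo "cannot read certificate: $3" >&2; return 2; }
    [ "$k" = "$c" ] || { echo "MISMATCH: CSR was not made from this key" >&2; return 1; }
    [ "$k" = "$x" ] || { echo "MISMATCH: certificate was not issued for this key" >&2; return 1; }
    echo "OK: key, CSR and certificate share public key $k"
}

# Constructed demo input: a throwaway key, CSR and self-signed certificate stand in
# for yourdomain.key, yourdomain.csr and the issued certificate; other.key is unrelated.
make_demo() {   # usage: make_demo DIR
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$1/demo.key" -out "$1/demo.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/demo.csr" -signkey "$1/demo.key" -days 1 \
        -out "$1/demo.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo "$demo_dir"
check_match "$demo_dir/demo.key" "$demo_dir/demo.csr" "$demo_dir/demo.crt"
check_match "$demo_dir/other.key" "$demo_dir/demo.csr" "$demo_dir/demo.crt" ||
    echo "unrelated key rejected as expected"
```

On the server, call check_match as root with /etc/ssl/private/yourdomain.key, /etc/ssl/certs/yourdomain.csr and the downloaded certificate file, since the key is not readable by ordinary users.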
Step 6 — Configure Apache to use SSL
Create a configuration snippet with strong encryption settings:
$ sudo nano /etc/apache2/conf-available/ssl-params.conf
Add the following (based on Cipherli.st recommendations):
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
# Requires Apache >= 2.4
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
# Requires Apache >= 2.4.11
SSLSessionTickets Off
Back up the default SSL Virtual Host file, then open it:
$ sudo cp /etc/apache2/sites-available/default-ssl.conf /etc/apache2/sites-available/default-ssl.conf.bak
$ sudo nano /etc/apache2/sites-available/default-ssl.conf
Replace its contents with the following (update the email, domain, and file names):
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin your_email@yourdomain.com
        ServerName yourdomain.com
        DocumentRoot /var/www/html
        <Directory /var/www/html/>
            AllowOverride All
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/GoDaddy.crt
        SSLCertificateChainFile /etc/ssl/certs/gd_bundle-g2-g1.crt
        SSLCertificateKeyFile /etc/ssl/private/yourdomain.key
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
Enable the required modules, the SSL Virtual Host, and the params config:
$ sudo a2enmod ssl
$ sudo a2enmod rewrite
$ sudo a2enmod headers
$ sudo a2ensite default-ssl
$ sudo a2enconf ssl-params
Allow URL rewrites by opening the default virtual host:
$ sudo nano /etc/apache2/sites-available/000-default.conf
Update it with your ServerName and Directory settings:
<VirtualHost *:80>
    ServerAdmin your_email@yourdomain.com
    ServerName yourdomain.com
    DocumentRoot /var/www/html
    <Directory /var/www/html/>
        AllowOverride All
    </Directory>
    . . .
Create the .htaccess file in your document root, set ownership and permissions:
$ sudo touch /var/www/html/.htaccess
$ sudo chown :www-data /var/www/html/.htaccess
$ sudo chmod 664 /var/www/html/.htaccess
$ sudo nano /var/www/html/.htaccess
Add the rule to redirect HTTP traffic to HTTPS:
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://yourdomain.com/$1 [R=301,L]
Check the configuration for syntax errors, then restart Apache:
$ sudo apache2ctl configtest
$ sudo systemctl restart apache2
A successful check returns Syntax OK. If ServerName isn't set globally you'll see a notice, but it won't cause problems.
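Steps 1, 2 and 5 leave two things worth re-checking once Apache is running: /etc/ssl/certs was briefly set to 777, and the private key was created there before being moved. The audit below is an added example, not part of the original guide; the function name and the temp-directory demo are assumptions made for illustration.

```shell
# Added example (not from the original guide): audit the permissions left
# behind by Steps 1, 2 and 5. Needs GNU find for the "-perm /mode" test.

# Print one line per problem and set $findings; return 0 only when it is 0.
audit_tls_files() {   # usage: audit_tls_files CERT_DIR KEY_FILE
    findings=0
    # Step 5 set the certificate directory to 777; it must be back to 755.
    if [ -n "$(find "$1" -maxdepth 0 -perm /022)" ]; then
        echo "FAIL: $1 is writable by group or others"
        findings=$((findings + 1))
    fi
    # Step 1 created the key in the world-readable certificate directory;
    # after the move in Step 2 no private key should remain there.
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            echo "FAIL: private key material in $f"
            findings=$((findings + 1))
        fi
    done
    # The key named in SSLCertificateKeyFile must exist and grant nothing to "other".
    if [ ! -f "$2" ]; then
        echo "FAIL: key file $2 not found"
        findings=$((findings + 1))
    elif [ -n "$(find "$2" -perm /007)" ]; then
        echo "FAIL: $2 is accessible to all users"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: no permission problems found"
    [ "$findings" -eq 0 ]
}

# Constructed demo: a temp directory mimics the state right after Step 5's chmod 777.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/certs" "$demo/private"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'constructed' '-----END PRIVATE KEY-----' \
    > "$demo/certs/yourdomain.key"
chmod 777 "$demo/certs"
audit_tls_files "$demo/certs" "$demo/private/yourdomain.key" || echo "findings: $findings"

# Apply the guide's fixes (move the key, restore 755) and audit again.
mv "$demo/certs/yourdomain.key" "$demo/private/yourdomain.key"
chmod 600 "$demo/private/yourdomain.key"
chmod 755 "$demo/certs"
audit_tls_files "$demo/certs" "$demo/private/yourdomain.key"
```

On the server, run audit_tls_files as root against /etc/ssl/certs and /etc/ssl/private/yourdomain.key, because /etc/ssl/private is not readable by ordinary users on Ubuntu.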
Step 7 — Activate SSL in WordPress
Back in the WordPress admin dashboard, refresh the page. The site should switch to HTTPS automatically and the Really Simple SSL warning should disappear. Verify under Settings › General that both the WordPress Address and Site Address use https.